Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

A pair of Canadian banks reported on May 28 that they are investigating alleged data breaches that could impact up to 90,000 consumers.

The Canadian Imperial Bank of Commerce's (CIBC) Simplii Financial division reported that approximately 40,000 of its customers are at risk, while in a separate incident the Bank of Montreal (BMO) said 50,000 of its customers were potentially exposed in a breach. Currently, it's not clear how the data breaches occurred and for how long the information was exposed.

"On Sunday, May 27, fraudsters contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers," BMO wrote in a statement. "We believe they originated the attack from outside the country."

Further reading

CIBC's Simplii Financial issued a similar statement, noting that on May 27 it too received a claim from hackers that they had accessed personal information on clients.

"We're taking this claim seriously and have taken action to further enhance our monitoring and security procedures," Michael Martin, senior vice president at Simplii Financial, stated.

The alleged attackers sent a letter to multiple Canadian media outlets on May 27, claiming that the two banks had until 11:59 p.m. ET to pay a $1 million ransom or the information would be publicly disclosed. The banks did not pay the ransom, and the alleged attackers sent a sample of the information to media outlets including the CBC, which verified that some of the information was accurate. The information included names, account balances, dates of birth and the answers to three security questions needed to validate the account owner.

Remediation

Neither BMO nor CIBC indicated in their respective disclosures how the data was obtained by the attackers. Both banks did note that they have taken steps to limit additional risk.

"We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off," BMO stated.

Both banks recommend that customers be vigilant and check banking statements for any irregularities or indicators of potential fraud. CIBC also recommended that customers make sure they use a complex password in order to access account information.

Industry Reaction

Mukul Kumar, chief information security officer and vice president of Cyber-Practice at Cavirin, said the breach at the Canadian banks is somewhat disturbing.

"You think of traditional credit card and bank breaches, and it has mostly been credit card information," Kumar told eWEEK. "But this is deeper financial information."

Kumar said that the big question with these incidents is if this is a breach of the bank or a breach via other means. He added that it's imperative that the banks understand where the threat came from, as the data that was stolen included Social Security numbers (SSN), dates of birth and other personally identifiable information.

"In the U.S., members of Congress have called for more secure forms of identification," Kumar said. "We're at the point now where we need to do more work with post-SSN identification and how it can be better secured."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.